The modus operandi of the new generation of cyber-attackers is best defined by two key facets. The first is that they are using stealthier and more advanced techniques that disguise known malware from static detection methods such as signatures. The second is that attacks increasingly avoid the traditional file-based delivery mechanisms that all anti-virus, and even some of the newer behavior-based solutions, focus on.
In nearly all cases attackers have a lucrative, yet vulnerable target in sight - namely, the endpoint. Be it laptops, desktops, servers, mobile devices, POS (point of sale) or embedded devices, SCADA systems, and even IoT devices, the endpoint is both the entry point to the network for the attacker and the scene of the crime where we need to focus our efforts on detection and protection. In fact, it’s now estimated that around 70% of all data breaches involve malicious attacks on endpoints.
However, it’s becoming harder for organizations to rely on the traditional, static techniques of malware detection and protection. All of the anti-virus and perimeter protection in the world can’t protect against these forms of attack, particularly in a world where sensitive data is as likely as not to reside on a mobile device or in the cloud.
The age of targeted attacks created by well-resourced teams demands a new way of managing and mitigating the more advanced threats targeting the endpoint.
Masters of disguise
In order to better protect against these endpoint attacks, we have to know our enemy well. But more importantly, we have to keep a close eye on the techniques they’re using to infect the endpoint. Understanding what they’re doing and why the endpoint has become a key target is the first step in mitigating the risks that these malicious attacks pose.
What we should remember is that, whilst malware at its core hasn’t changed significantly (ransomware is still ransomware), the methods used to evade detection and compromise a system have evolved. Evasion techniques such as wrappers, which protect executable files, enable malware to bypass every security mechanism on its way to the endpoint.
The defensive approach of protection based on existing knowledge of an attack is increasingly futile: anti-virus is static and looks at the hash or fingerprint of the file, which can be easily changed by attackers who simply mutate their creations or alter the file’s signature to evade anti-virus. They can also execute through file-less attacks, which could be delivered by something as simple as browsing a website. This type of malware can’t be picked up by anti-virus, as it exists only in memory rather than on the target’s hard drive.
Context-aware malware will recognize if it’s in a virtualized environment rather than running on the device it wants to compromise. This limits the usefulness of sandboxing for detecting zero-day malware and stealthy attacks, because the malware can take advantage of inherent conceptual sandbox weaknesses (limited emulation time, lack of user interaction, and reliance on a single OS image). If there’s nothing to detect unusual behavior at this point, the attacker can execute the malicious code.
Reaching the target
We can regain control of the endpoint, but rather than focusing on what the exploit is, we need to look at how it acts. Focusing on the malware’s behavior means that we’re not reliant on static indicators that can be easily changed. Sophisticated machine learning, examination of attack patterns and evasion techniques, and up-to-the-minute crowdsourced threat intelligence can provide the insight to predict what the malware will do next and stop it before it advances. Real-time monitoring and analysis of application and process behavior, together with the ability to determine the context of the attack, can minimize the possibility of false positives.
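To make the contrast between the hash-based detection discussed above and the behavior-based approach described here concrete, the following is an added example written for this page (not code from the original article or any product). The sample bytes, the signature list, and the telemetry field names are constructed assumptions; the behavioral rules are illustrative, not a complete rule set.

```python
import hashlib

# Constructed bytes standing in for a malicious loader (not a real binary).
# The mutated variant appends one byte: identical behaviour, different hash.
ORIGINAL_SAMPLE = b"MZ\x90\x00constructed-loader-bytes"
MUTATED_SAMPLE = ORIGINAL_SAMPLE + b"\x00"

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Hypothetical signature list, built from the original sample only.
KNOWN_BAD_HASHES = {sha256_hex(ORIGINAL_SAMPLE)}

def hash_detect(data: bytes) -> bool:
    """Static detection: flag only if the file hash is already known bad."""
    return sha256_hex(data) in KNOWN_BAD_HASHES

# Behavioural rules over process-start telemetry (field names are assumed).
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "mshta.exe", "rundll32.exe"}

def behaviour_detect(event: dict) -> list[str]:
    """Flag a process-start event by what it does, not by what it is."""
    reasons = []
    if event["parent"] in OFFICE_APPS and event["image"] in SCRIPT_HOSTS:
        reasons.append("office application spawned a script host")
    if not event["backing_file_on_disk"]:
        reasons.append("code runs from memory with no file on disk")
    if event["image"] in SCRIPT_HOSTS and event["outbound_to_unknown_host"]:
        reasons.append("script host contacted an unknown external host")
    return reasons

# Constructed telemetry: the mutated loader delivered via a document macro.
SAMPLE_EVENTS = [
    {"image": "winword.exe", "parent": "explorer.exe",
     "backing_file_on_disk": True, "outbound_to_unknown_host": False},
    {"image": "powershell.exe", "parent": "winword.exe",
     "backing_file_on_disk": True, "outbound_to_unknown_host": True},
    {"image": "injected-stage", "parent": "powershell.exe",
     "backing_file_on_disk": False, "outbound_to_unknown_host": False},
]

def triage(events: list[dict]) -> list[dict]:
    hits = [(ev, behaviour_detect(ev)) for ev in events]
    return [dict(ev, reasons=r) for ev, r in hits if r]

if __name__ == "__main__":
    print("hash detects original:", hash_detect(ORIGINAL_SAMPLE))  # True
    print("hash detects mutated: ", hash_detect(MUTATED_SAMPLE))   # False
    for hit in triage(SAMPLE_EVENTS):
        print(hit["image"], "->", "; ".join(hit["reasons"]))
```

The one-byte mutation defeats the hash list outright, while the behavioral rules still flag the script host spawned by an office application and the memory-only stage, regardless of what either file hashes to.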
Taking control of endpoint security also means we need to manage and reduce the attack surface itself. In tandem with these new approaches to protection, we need to take a holistic look at the network, closely monitoring activity for potential C&C communications or lateral movement, and for high-risk applications that users may not even be aware are resident on their systems.
In this way, whilst malware is getting more advanced and the devices through which an attack can be launched multiply, organizations can protect against malware that has been specifically designed to slip through the traditional security safety nets.